I need to configure an alert to run on last business day of the month.
How to write the Cron expression for it?
I don't think Splunk's cron can give you the last business day. What you can do is run your alert search on the last 7 days of the month. Then, within your search, add logic so that if it's not the last business day of the month, the search does not produce a result for the alert.
For example, you can use the cron expression 5 4 25-31 * * to run the search "At 04:05 on the 25th, 26th, 27th, 28th, 29th, 30th and 31st of every month." Then add the following subsearch to your main search so that it returns 1=1 when it's the last working day of the month, and 1=2 otherwise:
| gentimes start=-1 | eval lastDOM=relative_time(now(),"+1mon@mon-1d") | eval lastWDOM=case(strftime(lastDOM,"%a")="Sun", relative_time(lastDOM,"-2d@d"),strftime(lastDOM,"%a")="Sat", relative_time(lastDOM,"-1d@d"),1=1,lastDOM) | eval query=if(relative_time(now(),"@d")=lastWDOM,"1=1","1=2") | table query
For example, an alert checking the error count in Splunk's internal logs would look like this:
index=_internal sourcetype=splunkd log_level=ERROR [ | gentimes start=-1 | eval lastDOM=relative_time(now(),"+1mon@mon-1d") | eval lastWDOM=case(strftime(lastDOM,"%a")="Sun", relative_time(lastDOM,"-2d@d"),strftime(lastDOM,"%a")="Sat", relative_time(lastDOM,"-1d@d"),1=1,lastDOM) | eval query=if(relative_time(now(),"@d")=lastWDOM,"1=1","1=2") | table query ]
When I try to use it with my search as below, it is not taking the result of the subsearch as a condition:
index=MyIndex queryType="ts" filename=Pharmacy_*.JSON | table filename | stats count(filename) as JSONFiles [| gentimes start=-1 | eval lastDOM=relative_time(now(),"+1mon@mon-1d") | eval lastWDOM=case(strftime(lastDOM,"%a")="Sun", relative_time(lastDOM,"-2d@d"),strftime(lastDOM,"%a")="Sat", relative_time(lastDOM,"-1d@d"),1=1,lastDOM) | eval query=if(relative_time(now(),"@d")=lastWDOM,"1=1","1=2") | table query]
Result: I am getting an error that (1=2) is an invalid argument for stats. The main search is not taking the subsearch result as a condition.
The subsearch should be added to the base search portion (before the first pipe). Try this:
index=MyIndex queryType="ts" filename=Pharmacy_*.JSON [| gentimes start=-1 | eval lastDOM=relative_time(now(),"+1mon@mon-1d") | eval lastWDOM=case(strftime(lastDOM,"%a")="Sun", relative_time(lastDOM,"-2d@d"),strftime(lastDOM,"%a")="Sat", relative_time(lastDOM,"-1d@d"),1=1,lastDOM) | eval query=if(relative_time(now(),"@d")=lastWDOM,"1=1","1=2") | table query] | table filename | stats count(filename) as JSONFiles
It is not working. Is there a typo in my query? I have removed the " in the subsearch to make the output boolean. I am getting the response even when the run day is not the last working day of the month; it is not taking the gentimes subsearch result as a condition to process the search part after the first |.
index=MyIndex queryType="ts" filename=Pharmacy*.JSON [| gentimes start=-1 | eval lastDOM=relative_time(now(),"+1mon@mon-1d") | eval lastWDOM=case(strftime(lastDOM,"%a")="Sun", relative_time(lastDOM,"-2d@d"),strftime(lastDOM,"%a")="Sat", relative_time(lastDOM,"-1d@d"),1=1,lastDOM) | eval query=if(relative_time(now(),"@d")=lastWDOM,1=1,1=2) | table query] | table _time,accountName,filename,filesize
Let's try this. If it doesn't work, just run the subsearch separately and check what you get as index.
index=MyIndex queryType="ts" filename=Pharmacy*.JSON [| gentimes start=-1 | eval lastDOM=relative_time(now(),"+1mon@mon-1d") | eval lastWDOM=case(strftime(lastDOM,"%a")="Sun", relative_time(lastDOM,"-2d@d"),strftime(lastDOM,"%a")="Sat", relative_time(lastDOM,"-1d@d"),1=1,lastDOM) | eval index=if(relative_time(now(),"@d")=lastWDOM,"MyIndex","YouWillNotFindThisIndex") | table index] | table _time,accountName,filename,filesize
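As an added illustration (not code from the original thread), the last-working-day logic from the first answer and the index-name gate from the answer just above are reproduced here in Python, so the rule can be checked offline across many months rather than only on the day the alert fires. MyIndex and YouWillNotFindThisIndex are the names used in the thread; like the SPL, the logic treats only Saturday and Sunday as non-business days and knows nothing about holidays.

```python
import calendar
from datetime import date, timedelta

# Names taken from the thread; the real index plus a sentinel that never exists.
REAL_INDEX = "MyIndex"
SENTINEL_INDEX = "YouWillNotFindThisIndex"


def last_day_of_month(d: date) -> date:
    """SPL equivalent: relative_time(now(), "+1mon@mon-1d")."""
    return date(d.year, d.month, calendar.monthrange(d.year, d.month)[1])


def last_weekday_of_month(d: date) -> date:
    """SPL equivalent of lastWDOM: step a Saturday back 1 day, a Sunday back 2 days."""
    last = last_day_of_month(d)
    if last.weekday() == 5:        # Saturday -> Friday
        return last - timedelta(days=1)
    if last.weekday() == 6:        # Sunday -> Friday
        return last - timedelta(days=2)
    return last                    # already a weekday (holidays not considered)


def is_last_weekday(today: date) -> bool:
    """SPL equivalent: relative_time(now(), "@d") = lastWDOM."""
    return today == last_weekday_of_month(today)


def subsearch_gate(today: date) -> str:
    """Text the gentimes subsearch hands to the outer search.

    Returning an index= clause is what makes the gate reliable: on the wrong
    day the outer search is forced onto an index that does not exist and
    therefore yields no events, so the alert cannot fire.
    """
    chosen = REAL_INDEX if is_last_weekday(today) else SENTINEL_INDEX
    return f'index="{chosen}"'


def cron_window_covers(year: int, first_day: int = 25) -> bool:
    """Check that a day-of-month window first_day..31 fires on every month's
    last weekday in the given year (the thread uses 25-31)."""
    return all(
        first_day <= last_weekday_of_month(date(year, m, 1)).day <= 31
        for m in range(1, 13)
    )


if __name__ == "__main__":
    # Constructed sample dates: Dec 31 2023 is a Sunday, Sep 30 2023 a Saturday.
    for d in (date(2023, 12, 1), date(2023, 9, 1), date(2023, 11, 1), date(2021, 2, 1)):
        print(d.strftime("%Y-%m"), "->", last_weekday_of_month(d), subsearch_gate(last_weekday_of_month(d)))
    print("cron 25-31 covers every month of 2024:", cron_window_covers(2024))
```

The shortest possible month (a 28-day February ending on a Sunday) still puts the last weekday on the 26th, which is why the 25-31 window in the answer is wide enough; cron_window_covers lets you confirm that for any year before deploying the schedule.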
I tried as below and I am getting a response:
index=MyIndex queryType="ts" filename=Pharmacy_*.JSON | table filename | stats count(filename) as JSONFiles | appendcols [| gentimes start=-1 | eval lastDOM=relative_time(now(),"+1mon@mon-1d") | eval lastWDOM=case(strftime(lastDOM,"%a")="Sun", relative_time(lastDOM,"-2d@d"),strftime(lastDOM,"%a")="Sat", relative_time(lastDOM,"-1d@d"),1=1,lastDOM) | eval query=if(relative_time(now(),"@d")=lastWDOM,"1=1","1=2") | table query] | where query="1=2" | table JSONFiles